ComboFix 10-12-07.06 - mikocorp 08.12.2010 22:36:51.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1015.653 [GMT 1:00]
Spuštěný z: c:\documents and settings\mikocorp\Dokumenty\Stažené soubory\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\mikocorp\Data aplikací\Desktopicon
c:\documents and settings\mikocorp\Data aplikací\Desktopicon\eBay.ico
c:\documents and settings\mikocorp\Data aplikací\Desktopicon\uninst.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-11-08 do 2010-12-08 )))))))))))))))))))))))))))))))
.
2010-12-08 16:09 . 2010-12-08 16:09 -------- d-----w- c:\documents and settings\mikocorp\Data aplikací\Malwarebytes
2010-12-08 16:08 . 2010-12-08 16:08 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2010-12-08 16:08 . 2010-11-29 16:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-08 16:08 . 2010-12-08 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-08 16:08 . 2010-11-29 16:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 22:10 . 2010-12-07 22:10 -------- d-----w- c:\documents and settings\Administrator
2010-12-03 20:24 . 2010-12-04 12:37 -------- d-----w- c:\documents and settings\mikocorp\Data aplikací\DivX
2010-12-03 20:14 . 2010-12-03 20:24 -------- d-----w- c:\program files\DivX
2010-12-03 20:13 . 2010-12-03 20:24 -------- d-----w- c:\documents and settings\All Users\Data aplikací\DivX
2010-11-28 21:05 . 2010-11-28 21:05 -------- d-----w- c:\documents and settings\mikocorp\Data aplikací\com.amsoft.Autoskola-user.F7413B326E7EE190C62FFECB0195DD73C683900A.1
2010-11-28 21:05 . 2010-11-28 21:05 -------- d-----w- c:\program files\Autoškola testy
2010-11-15 16:15 . 2010-11-15 16:15 -------- d-----w- c:\program files\Digiarty
2010-11-12 17:15 . 2010-11-12 17:15 -------- d-----w- c:\documents and settings\mikocorp\Data aplikací\DVDVideoSoftIEHelpers
2010-11-10 10:17 . 2010-11-10 10:17 -------- d-----w- c:\documents and settings\mikocorp\Data aplikací\Roni Music
2010-11-09 17:14 . 2010-11-09 17:14 -------- d-----w- c:\program files\Roni Music
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-07 19:19 . 2010-02-13 11:50 196608 ----a-w- c:\windows\system32\drivers\nAsmedia.bin
2010-10-18 08:00 . 2010-10-31 18:44 108032 ----a-w- c:\windows\system32\ff_vfw.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 15:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568]
"nwiz"="nwiz.exe" [2007-05-10 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-06-01 380928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SMSender.OE"="c:\program files\O2\SMSender\\SMSender.OE.181.exe" [2009-06-08 28672]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\mikocorp\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-1-15 393216]
c:\documents and settings\mikocorp\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-1-15 393216]
c:\documents and settings\mikocorp\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-1-15 393216]
c:\documents and settings\mikocorp\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-1-15 393216]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:English /KBD:2
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys32V2Contoller]
2010-02-14 23:02 222720 ----a-w- c:\windows\mw2mmgr32\mw2mmgr32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\mikocorp\\Data aplikací\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Casino\\ParadiseCasino\\casino.exe"=
"d:\rapimgr.exe"= d:\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\wcescomm.exe"= d:\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\wcesmgr.exe"= d:\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\vlc-1.0.5\\vlc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2.5.2010 11:00 721904]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29.9.2009 12:02 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [29.9.2009 12:05 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [29.9.2009 12:03 735960]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [17.7.2009 14:32 3576320]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [16.7.2002 4:39 26496]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26.2.2010 16:34 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8.12.2010 17:08 38224]
.
Obsah adresáře 'Naplánované úlohy'
2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 15:34]
2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 15:34]
2010-12-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 15:50]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.icq.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.19\AMVConverter\grab.html
IE: Free YouTube to Mp3 Converter - c:\documents and settings\mikocorp\Data aplikací\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Poslat jako MMS - c:\program files\O2\SMSender\SMSender.E.181.dll/1003
IE: Poslat jako SMS - c:\program files\O2\SMSender\SMSender.E.181.dll/1001
IE: Poslat MMS na - c:\program files\O2\SMSender\SMSender.E.181.dll/1002
IE: Poslat SMS na - c:\program files\O2\SMSender\SMSender.E.181.dll/1000
Trusted Zone: line6.net
FF - ProfilePath - c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://
www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.3&q=
FF - component: c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: ICQ Toolbar: {800b5000-a755-47e1-992b-48a1c1357f07} - c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: TVU Web Player:
firefox@tvunetworks.com - c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\extensions\
firefox@tvunetworks.com
FF - Extension: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Extension: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - c:\documents and settings\mikocorp\Data aplikací\Mozilla\Firefox\Profiles\631aok3y.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Extension: Java Quick Starter:
jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKLM-Run-Driver.exe - (no file)
AddRemove-eBay Icon - c:\documents and settings\mikocorp\Data aplikací\Desktopicon\uninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-12-08 22:48
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 5.1.2600 Disk: ST3250310AS rev.3.AAC -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-5
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86212EE4]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8589c820; SUB DWORD [EBP-0x4], 0x8589c12e; PUSH EDI; CALL 0xffffffffffffe10c; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86497030]
3 CLASSPNP[0xF75F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x864DAF18]
5 ACPI[0xF7346620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8649AD98]
[0x86384DA0] -> IRP_MJ_CREATE -> 0x86212EE4
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-5 -> \??\IDE#DiskST3250310AS_____________________________3.AAC___#5&bd98cf6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86212CE2
user & kernel MBR OK
sectors 488397166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(2264)
c:\windows\OEHook.dll
c:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\O2\SMSender\SMSender.OE.181.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\rundll32.exe
D:\Wcescomm.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
D:\rapimgr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-12-08 22:51:55 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-12-08 21:51
Před spuštěním: 550 359 040
Po spuštění: 787 017 728
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 04555BF0B4F737A807CDCAF13729F5A3
